fix(deps): update github.com/opencontainers/runtime-tools digest to 0ea5ed0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

vendor/github.com/opencontainers/runtime-tools/generate/generate.go

@@ -8,10 +8,10 @@ import (
 	"os"
 	"strings"
 
+	"github.com/moby/sys/capability"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
 	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
-	"github.com/syndtr/gocapability/capability"
 )
 
 var (
@@ -1135,10 +1135,11 @@ func (g *Generator) ClearMounts() {
 func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
-		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > capsCheck.LastCap() {
-				continue
-			}
+		capList := capability.ListKnown()
+		if g.HostSpecific {
+			capList, _ = capability.ListSupported()
+		}
+		for _, cap := range capList {
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
 		}
 		g.initConfigLinux()

vendor/github.com/opencontainers/runtime-tools/validate/capabilities/lastcap.go

@@ -0,0 +1,16 @@
+package capabilities
+
+import (
+	"github.com/moby/sys/capability"
+)
+
+// LastCap returns last cap of system.
+//
+// Deprecated: use github.com/moby/sys/capability.LastCap instead.
+func LastCap() capability.Cap {
+	last, err := capability.LastCap()
+	if err != nil {
+		return -1
+	}
+	return last
+}

vendor/github.com/opencontainers/runtime-tools/validate/capabilities/validate.go

@@ -3,29 +3,43 @@ package capabilities
 import (
 	"fmt"
 	"strings"
+	"sync"
 
-	"github.com/syndtr/gocapability/capability"
+	"github.com/moby/sys/capability"
 )
 
-// CapValid checks whether a capability is valid
+// CapValid checks whether a capability is valid. If hostSpecific is set,
+// it also checks that the capability is supported on the current host.
 func CapValid(c string, hostSpecific bool) error {
-	isValid := false
-
 	if !strings.HasPrefix(c, "CAP_") {
 		return fmt.Errorf("capability %s must start with CAP_", c)
 	}
-	for _, cap := range capability.List() {
-		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
-				return fmt.Errorf("%s is not supported on the current host", c)
-			}
-			isValid = true
-			break
-		}
-	}
 
-	if !isValid {
+	if _, ok := knownCaps()[c]; !ok {
 		return fmt.Errorf("invalid capability: %s", c)
 	}
+	if !hostSpecific {
+		return nil
+	}
+	if _, ok := supportedCaps()[c]; !ok {
+		return fmt.Errorf("%s is not supported on the current host", c)
+	}
 	return nil
 }
+
+func capSet(list []capability.Cap) map[string]struct{} {
+	m := make(map[string]struct{}, len(list))
+	for _, c := range list {
+		m["CAP_"+strings.ToUpper(c.String())] = struct{}{}
+	}
+	return m
+}
+
+var knownCaps = sync.OnceValue(func() map[string]struct{} {
+	return capSet(capability.ListKnown())
+})
+
+var supportedCaps = sync.OnceValue(func() map[string]struct{} {
+	list, _ := capability.ListSupported()
+	return capSet(list)
+})

vendor/github.com/opencontainers/runtime-tools/validate/capabilities/validate_linux.go

@@ -1,16 +0,0 @@
-package capabilities
-
-import (
-	"github.com/syndtr/gocapability/capability"
-)
-
-// LastCap return last cap of system
-func LastCap() capability.Cap {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-
-	return last
-}

vendor/github.com/opencontainers/runtime-tools/validate/capabilities/validate_unsupported.go

@@ -1,13 +0,0 @@
-//go:build !linux
-// +build !linux
-
-package capabilities
-
-import (
-	"github.com/syndtr/gocapability/capability"
-)
-
-// LastCap return last cap of system
-func LastCap() capability.Cap {
-	return capability.Cap(-1)
-}